<!DOCTYPE html>
<html lang="en">

<head>
	

	


	

	<!--trying to figure out the canonical url issue with blogs-->
	<link rel="canonical" href="https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version" />

	<title>REvil’s new Linux version | AT&T Alien Labs</title>

	

		

	<meta property="og:site_name" content="AT&amp;T Cybersecurity" />
	<meta property="og:title" content="REvil’s new Linux version" />
	<meta property="og:url" content="https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version" />
	<meta property="og:image" content="https://cdn-cybersecurity.att.com/blog-content/Blog-Images/open-graph/best_practices_OG.jpg" />
	<meta property="og:description" content="This blog was jointly authored with Ofer Caspi.

Executive summary

The ransomware-as-a-service (RaaS) operation&nbsp;behind REvil has become one of the most prolific and successful threat groups since the ransomware first appeared in May 2019. REvil has been primarily used to target Windows systems. However, new samples have been identified targeting Linux systems. AT&amp;T Alien Labs&trade; is closely monitoring the ransomware landscape and has already identified four of these samples in the " />
		


	<meta charset="utf-8">

<link rel="preconnect" href="https://cdn-cybersecurity.att.com" />
<link rel="preconnect" href="https://www.att.com" />
<link rel="preconnect" href="https://www.googletagmanager.com" crossorigin />
<link rel="preconnect" href="https://cdn.vidyard.com" crossorigin />
<link rel="preconnect" href="https://cdnjs.cloudflare.com" crossorigin />
<link rel="preconnect" href="https://www.google-analytics.com" crossorigin />
<link rel="preconnect" href="https://play.vidyard.com" crossorigin />
<link rel="preconnect" href="https://adservice.google.com" crossorigin />
<link rel="preconnect" href="https://www.facebook.com" crossorigin />
<link rel="preconnect" href="https://www.google.com" crossorigin />
<link rel="preconnect" href="https://px.ads.linkedin.com" crossorigin />




<script src="https://cdn-cybersecurity.att.com/js/v2/imports/top-bundle.min.js?v=20211221850047"></script>




<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="ahrefs-site-verification" content="a6fa0378625f72f89c6f290c3c7559ffee326fb9232cd87fcace798afce3e30d">
<meta name="google-site-verification" content="GTQZz4AGa47UtmP64oC5BB735pkyncjtISHOcQZbIho" />
<meta name="google-site-verification" content="dOSpKecfL6OVRkgr2KvddmhD-l-g3x8vlru1kmbqa9M" />

<link rel="preload" as="font" type="font/ttf" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/zero-width.ttf" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-Bold.woff2" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-Regular.woff2" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-Light.woff2" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-Medium.woff2" />


<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-LightItalic.woff2" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-BoldItalic.woff2" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-MediumItalic.woff2" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-Italic.woff2" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-Black.woff2" />

<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/css/fonts/glyphicons-halflings-regular.woff2" />
<link rel="preload" as="font" type="font/ttf" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/av-icons.ttf?e81fxl" />



<link rel="preload" as="style" href="https://cdn-cybersecurity.att.com/css/sass/main.min.css?v=20211221850047" />
<link rel="apple-touch-icon" sizes="144x144" href="https://cdn-cybersecurity.att.com/images/uploads/apple-touch-icon.png"/>
<link rel="icon" type="image/png" sizes="32x32" href="https://cdn-cybersecurity.att.com/images/uploads/favicon.ico"/>
<link rel="shortcut icon" href="https://cdn-cybersecurity.att.com/images/uploads/favicon.ico">
<link rel="manifest" href="https://cdn-cybersecurity.att.com/manifest.json">

<link rel="stylesheet" href="https://cdn-cybersecurity.att.com/css/sass/main.min.css?v=20211221850047" />












	<link rel="alternate" type="application/rss+xml" title="AlienVault Open Threat Exchange Blog" href="/site/blog-all-rss" />

	<style>
	
	
	.section-breadcrumb ol {
    margin-top: 0px !important;
    margin-bottom: 10px;
	}
	
	.flexible-layout .section-breadcrumb ol li a,
	.flexible-layout .section-breadcrumb ol li{
    	color: #000;
    	font-size: 12px;
	}
	
	.section-breadcrumb .glyphicon {
    font-size: 10px;
    line-height: 10px;
    font-weight: 300;
    color: #000!important;
	}

	.blog-author-info {
		width: 70%;
		float: left;
		color: #191919;
	}

	.blog-subscribe-grid ul {
		margin-left: 0px;
		margin-bottom: 0px;
		padding-left: 0px;
	}

	.blog-subscribe-grid ul li {
		list-style-type: none;
		line-height: 20px;
	}

	.blog-subscribe-grid ul li a {
		color: #c6ced5;
		font-size: 14px;
		text-decoration: none;
	}

	.blog-subscribe-grid ul li a:hover {
		text-decoration: underline;
	}

	.blog-content-area img {
		width: 100%!important;
		height: auto!important;
	}

	.blog-promo-item {
		clear: both;
		overflow: hidden;
		margin-bottom: 30px;
	}
	.promo-block .small {
		text-transform: uppercase;
	}

	.blog-promo-item-text {
		width: 345px;
		float: left;
		max-width:100%;
	}

	.blog-promo-item p {
		margin-bottom: 0px!important;
	}






	#blog-promo-block {
		padding-top: 20px;
	}



	/*promo block and sticky classes*/

	.sticky-sidebar {
		top: 147px;
		position: -webkit-sticky; /* Safari */
		position: sticky;
	}
	     .sidebar-search {
			 margin-bottom: 30px;
		 }

         .sidebar-search .search-button {
                width: 100%;
                position: relative;
            }

            .sidebar-search .search-button input {
                padding: 0px;
                margin: 2px 0px 0px 0px;
                position: absolute;
                background: url(https://cdn-cybersecurity.att.com/images/icn-sidebar-search.png) top left no-repeat;
                background-size: 25px 25px;
                width: 25px;
                height: 25px;
                cursor: pointer;
                text-indent: -9999em;
                border: none;
                left: 10px;
                top: 6px;
             }

			.sidebar-search .search-field input {
                border: 0;
                width: 100%;
                height: 30px;
                padding-left: 50px;
				margin-top: 5px;
            }

            .sidebar-search .search-field {
                border: 1px solid #CCCCCC;
                width: 100%;
                height: 40px;
            }

            #q::placeholder {
          		color: #767676!important;
            }

            #blog-subscribe-box {
			height:auto;
            padding: 32px;
            background-image: url('https://cdn-cybersecurity.att.com/images/uploads/backgrounds/blog-email-subscribe-bkg.jpg');
            background-size: cover;
            }

            #blog-subscribe-box h2 {
            color: #fff;
            font-size:32px;
            }

			#blog-subscribe-box p {
				margin-bottom: 10px;
			}






	@media (max-width: 991px) {
            .sidebar-search .search-button input {
                padding: 0px;
                background: transparent;
                cursor: pointer;
                text-indent: -9999em;
                border: none;
                right: 5px;
                top: 5px;
                padding-left: 0px;
             }

            .sidebar-search .search-field input {
             padding-left: 15px;
             }


            }

            	@media (min-width: 768px) and (max-width: 920px){
	.blog-subscribe-grid .btn {
		border-radius: 24px;
	    font-size: 12px;
	    line-height: 18px;
	    border: none;
	    padding: 6px 36px;
	    height: 30px;
	    font-weight: 500;
	}
}


		.blog-content-area p,
		.blog-content-area ul li,
		.blog-content-area ol li{
			font-size: 16px;
			line-height: 20px;
			font-weight: 400;
		}
		.blog-content-area ul li,
		.blog-content-area ol li {
			margin-bottom: 10px;
		}
		
		.blog-content-area {
		margin-top: 30px;
		}
		
		.flexible-layout .section-breadcrumb {
		margin-bottom: 30px;
		}
		
		.blog-detail h1 {
    		color: #000; 
			background: transparent;
    		padding: 0px;
		}
		
		.blog-title-date-author-area {
			padding-bottom: 20px;
			border-bottom: #959595 1px solid;
		}
		
		.blog-body {
		padding-top: 20px;
		}
		
		
		.blog-detail .blog-categories {
    background-color: transparent;
    border-bottom: 1px solid #959595;
    border-top: 1px solid #959595;
    padding: 20px 0px 20px 0px;
    color: #000;
    margin: 30px 0px;
    font-size: 16px;
    line-height: 24px;
	font-weight: 400;
	}
	
	.blog-detail .blog-categories a {
	font-weight: 400;
	}
	
	.blog-share {
	margin-top: 60px;
	text-align: center;
	margin-bottom: 60px;
	}
	
	.blog-listing-social {
		display: block;
	}
	
	#st-1 .st-btn {
	  border-radius: 25px!important;
	  border: none;
	  cursor: pointer;
	  display: inline-block;
	  font-size: 12px;
	  height: 45px!important;
	  line-height: 40px!important;
	  margin-right: 8px;
	  padding: 0 10px;
	  position: relative;
	  text-align: center;
	  top: 0;
	  vertical-align: top;
	  white-space: nowrap;
	  margin-right: 20px!important;
	}
	
	#st-1 .st-btn > img {
	  display: inline-block;
	  height: 25px!important;
	  width: 25px!important;
	  position: relative;
	  top: 10px;
	  vertical-align: top;
	  }
	  
	  #st-1 .st-btn[data-network='email'] {
	  	background-color: #e0752d!important;
	  }
	  
	  .st-first {
	  	margin-left: 20px!important;
	  }
	
	</style>

</head>

	<body class="listing-blog-entry-id-7333">


		<header id="header" class="navbar navbar-fixed-top">







	<div id="header-container" class="container-fluid">
		

		<nav class="navbar-collapse collapse" id="header-nav">
			<ul class="nav navbar-nav list-unstyled">
				<li class="nav-item has-dd solutions">
					<a id="main-nav-solutions" href="/solutions" class="dropdown-toggle" data-toggle="collapse" role="button" aria-expanded="false" data-target="#solutions-dd">Solutions<span class="glyphicon glyphicon-chevron-up"></span><span class="glyphicon glyphicon-chevron-down"></span></a>
					<div class="nav-dropdown collapse" id="solutions-dd">
						<div class="dd-multi-col container-fluid">
							<ul class="list-unstyled sub-nav hidden-md hidden-lg">
								<li><a id="main-nav-see-all-solutions-mobile" href="/solutions" class="header_nav_link">See All Solutions</a></li>
							</ul>
							<div id="compliance">
								<div class="menu-header">Compliance</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/solutions/it-compliance-management">Overview</a></li>
									<li><a href="/solutions/gdpr-compliance">GDPR</a></li>
									<li><a href="/solutions/hipaa-compliance">HIPAA</a></li>
									<li><a href="/solutions/iso-27001-compliance">ISO 27001</a></li>
									<li><a href="/solutions/pci-dss-compliance">PCI DSS</a></li>
									<li><a href="/solutions/soc-2-compliance">SOC 2</a></li>
								</ul>
							</div>
							<div id="industry">
								<div class="menu-header">Industry</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/solutions/education">Education</a></li>
									<li><a href="/solutions/energy-sector-security">Energy Sector</a></li>
									<li><a href="/solutions/government">Federal</a></li>
									<li><a href="/solutions/financial-services">Financial Services</a></li>
									<li><a href="/solutions/healthcare">Healthcare</a></li>
									<li><a href="/solutions/manufacturing">Manufacturing</a></li>
									<li><a href="/partners/mssp-program">MSSPs</a></li>
									<li><a href="/solutions/retail">Retail</a></li>
								</ul>
							</div>
							<div id="environment">
								<div class="menu-header">Environment</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/solutions/5g-security-solutions">5G</a></li>
									<li><a href="/solutions/aws-security-and-compliance-management">AWS</a></li>
									<li><a href="/solutions/azure-security-and-compliance-management">Azure</a></li>
									<li><a href="/solutions/cloud-security">Cloud</a></li>
									<li><a href="/solutions/iot-and-mobility-security">IOT/Mobility</a></li>
									<li><a href="/solutions/hybrid-cloud-security">Hybrid</a></li>
									<li><a href="/solutions/network-security">Network</a></li>
									<li><a href="/solutions/remote-workforce-security">Remote Workforce</a></li>

								</ul>
							</div>
							<div id="core-capabilities">
								<div class="menu-header">Security Use Cases</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/solutions/intrusion-detection-system">Intrusion Detection</a></li>
									<li><a href="/solutions/secure-access-service-edge">Secure Access Service Edge</a></li>
									<li><a href="/solutions/secure-web-gateway">Secure Web Gateway</a></li>
									<li><a href="/solutions/siem-platform-solutions ">SIEM Platform Solutions</a></li>
									<li><a href="/solutions/extended-detection-and-response">XDR</a></li>
									<li><a href="/solutions/zero-trust-architecture">Zero Trust Architecture</a></li>

								</ul>
							</div>
						</div>
						<div class="dd-bottom visible-md visible-lg" id="view-all-solutions">
							<div class="container-fluid">
								<a href="/solutions">
									<span class="view-all-text">View All Solutions &LongRightArrow;</span>
								</a>
							</div>
						</div>
					</div>
				</li>
				<li class="nav-item has-dd partners">
					<a id="main-nav-partners" href="/partners" class="dropdown-toggle" data-toggle="collapse" role="button" aria-expanded="false" data-target="#partners-dd">Partners<span class="glyphicon glyphicon-chevron-up"></span><span class="glyphicon glyphicon-chevron-down"></span></a>
					<div class="nav-dropdown collapse" id="partners-dd">
						<div class="dd-multi-col container-fluid">
							<ul class="list-unstyled sub-nav hidden-md hidden-lg">
								<li><a id="main-nav-partners-mobile" href="/partners/become-a-partner">Become a Partner</a></li>
							</ul>
							<div id="become-a-partner">
								<div class="menu-header">Become a Partner</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/partners">All Partner Programs</a></li>
									<li><a href="/partners/mssp-program">MSSP Program</a></li>
									<li><a href="/partners/resellers">Reseller Program</a></li>
									<li><a href="/partners/partner-portal/">Partner Portal Login</a></li>
								</ul>
							</div>

							<div id="find-a-partner">
								<div class="menu-header">Find a Partner</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/partners/find-partner">Find an MSSP</a></li>
									<li><a href="/partners/locator">Find a Reseller</a></li>
									<li><a href="/partners/certified-implementation-partners">Professional Services</a></li>
								</ul>
							</div>
							<div id="technology-partners">
								<div class="menu-header">Technology Partners</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/app">USM Anywhere Integrations</a></li>
									<li><a href="/partners/technology-partners">OTX Partners</a></li>
								</ul>
							</div>
						</div>
						<div class="dd-bottom visible-md visible-lg" id="view-all-partners">
							<div class="container-fluid">
								<a href="/partners/become-a-partner">
									<span class="view-all-text">Become a Partner &LongRightArrow;</span>
								</a>
							</div>
						</div>
					</div>
				</li>
				<li class="nav-item has-dd resources">
					<a id="main-nav-resources" href="/resource-center#language_en" class="dropdown-toggle" data-toggle="collapse" role="button" aria-expanded="false" data-target="#resources-dd">Resources<span class="glyphicon glyphicon-chevron-up"></span><span class="glyphicon glyphicon-chevron-down"></span></a>
					<div class="nav-dropdown collapse" id="resources-dd">
						<div class="dd-multi-col container-fluid">

							<div id="resources-menu-image" class="visible-lg">
								<img src="https://cdn-cybersecurity.att.com/images/uploads/thehub-thumbnail.jpg">
								<p>Explore The Hub, our home for all virtual experiences</p>
								<a href="https://hub.att.com/expo-hall/cybersecurity/">Explore now ⟶</a>
							</div>

							<ul class="list-unstyled sub-nav hidden-md hidden-lg">
								<li><a id="main-nav-resources-mobile" href="/resource-center#language_en">View All Resources</a></li>

							</ul>

							<div id="product-resources">
								<div class="menu-header">Product Resources</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/resource-center#content_customer-stories">Customer Stories</a></li>
									<li><a href="/resource-center#content_product-brief">Product Briefs</a></li>
									<li><a href="/resource-center#content_product-demo">Product Demos</a></li>
									<li><a href="/resource-center#content_product-review">Product Reviews</a></li>
									<li><a href="/resource-center#content_solution-brief">Solution Briefs</a></li>
									<li><a href="/resource-center#content_use-cases">Use Cases</a></li>

									<li><a id="free-trial" href="/products/usm-anywhere/free-trial">Free Trial</a></li>
								</ul>
							</div>
							<div id="security-resources">
								<div class="menu-header">Security Resources</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/resource-center#content_analyst-reports">Analyst Reports</a></li>
									<li><a href="/blogs">Blogs</a></li>
									<li><a href="/resource-center#content_ebook">eBooks</a></li>
									<li><a href="/resource-center#content_video">Videos</a></li>
									<li><a href="/resource-center#content_webcast">Webcasts</a></li>
									<li><a href="/resource-center#content_white-paper">White Papers</a></li>
									<li><a href="/resource-center#content_industry-reports">Industry Reports</a></li>
								</ul>
							</div>
							<div id="customer-resources">
								<div class="menu-header">Customer Resources</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="https://success.alienvault.com/">Success Center</a></li>
									<li><a href="/certification">Certification</a></li>
									<li><a href="/customer-success">Customer Success</a></li>
									<li><a href="/documentation">Documentation</a></li>
									<li><a href="/partners/certified-implementation-partners">Professional Services</a></li>
									<li><a href="/support">Support Overview</a></li>
									<li><a href="/training">Training</a></li>
								</ul>
							</div>
							<div id="browse-by-topic">
								<div class="menu-header">Browse by Topic</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/resource-center#category_incident-response">Incident Response</a></li>
									<li><a href="/resource-center#category_intrusion-detection">Intrusion Detection</a></li>
									<li><a href="/resource-center#category_partner-mssp-reseller">Partner: MSSP &amp; Reseller</a></li>
									<li><a href="/resource-center#category_regulatory-compliance">Regulatory Compliance</a></li>
									<li><a href="/resource-center#category_soc">Security Operations Center</a></li>
									<li><a href="/resource-center#category_siem-log-management">SIEM &amp; Log Management </a></li>
									<li><a href="/resource-center#category_threat-detection">Threat Detection</a></li>
									<li><a href="/resource-center#category_threat-intelligence">Threat Intelligence</a></li>
								</ul>
							</div>
						</div>

						<div class="dd-bottom visible-md visible-lg" id="view-all-resources">
							<div class="container-fluid">
								<a href="/resource-center#language_en">
									<span class="view-all-text">View All Resources &LongRightArrow;</span>
								</a>
							</div>
						</div>

					</div>
				</li>
				<li class="nav-item alien-labs">
					<a id="main-nav-alien-labs" href="/alien-labs" class="">AT&T Alien Labs</a>
				</li>
				<li class="nav-item visible-sm visible-xs">
					<a id="main-nav-contact" href="/contact">Contact</a>
				</li>
				<li class="nav-item support visible-sm visible-xs">
					<a id="main-nav-support" href="/support">Support</a>
				</li>

			</ul>
		</nav>

	</div>

	<div class="container-fluid visible-md visible-lg">
		
		
			<a id="main-nav-free-tools" class="header-nav-btn btn margin-bottom10" href="/pricing/request-quote">Get price</a>
		


	</div>
</header>

						




			<main class="blog-detail flexible-layout">

				<section class="full-width-block">

					<div class="container-fluid">

						<div class="row flx-container">
							<div class="col-sm-7">
								<div class="blog-content-area">
									<div class="blog-title-date-author-area">
										<h1>REvil’s new Linux version</h1>
										<div class="date">July 1, 2021 &nbsp;|&nbsp; <a href="/blogs/author/fmartinez">Fernando Martinez</a></div>
									</div>
									<div class="blog-body">
										<p><em>This blog was jointly authored with Ofer Caspi.</em></p>

<h2>Executive summary</h2>

<p>The ransomware-as-a-service (RaaS) operation&nbsp;behind REvil has become one of the most prolific and successful threat groups since the ransomware first appeared in May 2019. REvil has been primarily used to target Windows systems. However, new samples have been identified targeting Linux systems. AT&amp;T Alien Labs&trade; is closely monitoring the ransomware landscape and has already identified four of these samples in the wild during the last month, after receiving a <a href="https://twitter.com/VK_Intel/status/1409598638981058564?s=20" target="_blank">tip</a>&nbsp;from <a href="https://twitter.com/malwrhunterteam/status/1409577829289934851?s=20" target="_blank">MalwareHunterTeam</a>. The purpose of this blog is to share recent findings and a summary of the adversary, malware family, and&nbsp;detection options.</p>

<h2>Key Takeaways:</h2>

<ul>
	<li>REvil ransomware authors have expanded their arsenal to include Linux ransomware, which allows them to target ESXi and NAS devices.</li>
	<li>The new Linux version has similarities to the Windows version, which has impacted companies such as JBS, Acer, and Travelex, as already <a href="https://www.zdnet.com/article/fbi-attributes-jbs-ransomware-attack-to-revil/" target="_blank">reported</a> by the FBI and the media.&nbsp;</li>
</ul>

<h2>Background</h2>

<p>REvil is also known as Sodinokibi or Sodin. It is a ransomware family operated as a ransomware-as-a-service (RaaS). Deployments of REvil were first observed in April 2019, exploiting a published vulnerability in Oracle WebLogic (CVE-2019-2725). Since then, REvil has become one of the most prolific RaaS groups, <a href="https://www.zdnet.com/article/fbi-attributes-jbs-ransomware-attack-to-revil/" target="_blank">with ransomware attacks attributed to it against JBS</a>, <a href="https://www.bleepingcomputer.com/news/security/computer-giant-acer-hit-by-50-million-ransomware-attack/" target="_blank">Acer</a>, <a href="https://www.bbc.com/news/business-51017852" target="_blank">Travelex</a>, and, most recently, U.K.-based fashion brand <a href="https://threatpost.com/fcuk-fashion-medical-diagnostics-revil/167245/" target="_blank">French Connection</a>&nbsp;this week.</p>

<table style="border-collapse:collapse">
	<tbody>
		<tr>
			<td colspan="3" style="background-color:#efefef; border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:2px solid black; height:28px; width:624px">
			<p style="text-align:center"><b>REVIL Victims</b></p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:208px">
			<p style="text-align:center"><b>Company</b></p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p style="text-align:center"><b>Industry</b></p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p style="text-align:center"><b>Country</b></p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:208px">
			<p>National Western Life</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>Financial</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>United States</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; height:30px; width:208px">
			<p>Eurecat (Eurecat SA)</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; height:30px; width:208px">
			<p>Energy</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; height:30px; width:208px">
			<p>France, United States</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; height:30px; width:208px">
			<p>Light S.A.</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; height:30px; width:208px">
			<p>Energy</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; height:30px; width:208px">
			<p>Brazil</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:208px">
			<p>Quest Worldwide</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>Consulting</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>Australia</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:208px">
			<p>Brown Forman Corporation</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>Food and Beverage Services</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>United States</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:208px">
			<p>Arafmi</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>Healthcare</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>Australia</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:208px">
			<p>4datanet.com</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>Information Technology</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>United States</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:208px">
			<p>malabs.com</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>Technology</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>United States</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:208px">
			<p>Viva Resorts</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>Hospitality</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>United States</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:208px">
			<p>Schramm Inc.</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>Manufacturing</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>United States</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:208px">
			<p>CAT RICAMBI SR</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>Automotive</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>Italy</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:208px">
			<p>Quanta Computer</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>Information Technology</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>Taiwan</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:208px">
			<p>JBS</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>Food and Beverage Services</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>Brazil, United States</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:208px">
			<p>Acer</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>Information Technology</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>Taiwan</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:208px">
			<p>Travelex</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>Financial</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>United Kingdom</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:208px">
			<p>French Connection</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>Fashion</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>United Kingdom</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:208px">
			<p>Grupo Fleury</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>Healthcare</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>Brazil</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid black; border-left:2px solid black; border-right:2px solid black; border-top:none; width:208px">
			<p>Invenergy</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>Energy</p>
			</td>
			<td style="border-bottom:2px solid black; border-left:none; border-right:2px solid black; border-top:none; width:208px">
			<p>United States</p>
			</td>
		</tr>
	</tbody>
</table>

<p>&nbsp;</p>

<p>Ransomware-as-a-service is a method for individuals to purchase prebuilt malware families for their own malicious use. RaaS has been sold on the dark web and has been the approach used by a variety of other criminal groups, such as&nbsp;DarkSide. One thing to keep in mind is that RaaS is not limited to buyers who lack their own capabilities. For example, a highly skilled adversarial team supporting a nation state could make use of RaaS families to gain access into a targeted network to avoid pre- and post-compromise attribution and objective identification.</p>

<h2>Analysis</h2>

<p>The threat actors behind REvil ransomware have expanded their arsenal to include Linux ransomware. As announced on a dark web blog and reported by <a href="https://twitter.com/y_advintel/status/1391450354051653633" target="_blank">AdvIntel</a>&nbsp;in early May 2021, REvil has ported their Windows ransomware version to the Linux architecture.</p>

<p>These software upgrades follow the trend seen in other popular RaaS groups, like DarkSide, where they have added Linux capabilities to include ESXi in their scope of potential targets. The hypervisor ESXi allows multiple virtual machines (VM) to share the same hard drive storage. However, this also enables attackers to encrypt the centralized virtual hard drives used to store data from across VMs, potentially causing disruptions to companies. According to the blog post, in addition to targeting ESXi, REvil is also targeting NAS devices as another storage platform with the potential to highly impact the affected companies.</p>

<p>In late May 2021 the first REvil ransomware samples affecting *nix systems and ESXi were observed in the wild. The samples are ELF64 executables with similarities to the Windows REvil executable, the most noticeable being in the configuration options.</p>

<p>Before encrypting all the files, REvil runs the esxcli command line tool to list all running ESXi VMs and terminate them. By doing this, the attacker ensures no other VM is handling the files to be encrypted, avoiding corruption issues of the encrypted files. However, the executable has a specific parameter to run in silent mode, which avoids debugging without stopping any VMs.</p>

<p style="text-align:center"><img alt="command to kill VMs" data-original="https://cdn-cybersecurity.att.com/blog-content/command_to_kill_VMs.jpg" /></p>

<p style="text-align:center">Figure 1: ESXi command to kill running VMs, as captured by Alien Labs.</p>

<p>In addition to the above-mentioned parameter, the threat actor can specify the number of threads to use (the default value is 50) and the path to encrypt. (By default, the malware will encrypt the current directory and its subfolders.)</p>

<p>During execution, the malware will first check if its configuration exists. The configuration file format is very similar to the one observed for REvil Windows samples, but with fewer fields. Some of the fields presented in both versions include:</p>

<ul>
	<li>Pk: Base64-encoded value containing the attacker&#39;s public key used to encrypt files</li>
	<li>Sub: 7987 representing the affiliate identifier</li>
	<li>Dbg: Determines if the victim is Russian, terminating the execution if the language set in the victim&rsquo;s system is not the expected one</li>
	<li>Nbody: Ransom note body contents encoded in base64; decoded contents are shown in Figure 3</li>
	<li>Nname: Ransom note filename</li>
	<li>Rdmcnt: Unique value not previously seen in REvil configurations</li>
	<li>Ext: Encrypted extension, which appears to be five random characters; the observed extensions include .rhkrc, .qoxaq, .naixq, and .7rspj.</li>
</ul>

<p style="text-align:center"><img alt="REvil config file" data-original="https://cdn-cybersecurity.att.com/blog-content/revil_config_file.jpg" /></p>

<p style="text-align:center">Figure 2: Hard-coded config file, as captured by Alien Labs.</p>

<p style="text-align:center"><img alt="REvil ransom note" data-original="https://cdn-cybersecurity.att.com/blog-content/revil_ransom_note.jpg" /></p>

<p style="text-align:center">Figure 3: Hard-coded ransom note after decoding, as captured by Alien Labs.</p>

<p>The malware will loop through the target folder, encrypting the files in it. Before encryption, it will check to see if the file has already been encrypted by looking at the filename extension.</p>

<p>During encryption, the malware will generate a 64-byte XOR key, based on the pk key given in the config file. It will use this key during the encryption process. After encryption, the malware will write the generated key &ldquo;IV&rdquo; at the end of each file and leave a ransom note in each folder.</p>

<p style="text-align:center"><img alt="REvil encryption" data-original="https://cdn-cybersecurity.att.com/blog-content/revil_encryption.jpg" /></p>

<p style="text-align:center">Figure 4: Main encryption routine, as captured by Alien Labs.</p>

<p style="text-align:center"><img alt="REvil  main encryption" data-original="https://cdn-cybersecurity.att.com/blog-content/revil_main_encryption.jpg" /></p>

<p style="text-align:center">Figure 5: Main encryption routine, as captured by Alien Labs.</p>

<p>The malware will log all the files it goes through, stating if the file was encrypted or if it was unable to encrypt due to OS protection.</p>

<p style="text-align:center"><img alt="REvil encryption logs" data-original="https://cdn-cybersecurity.att.com/blog-content/revil_encyrption_logs.jpg" /></p>

<p style="text-align:center">Figure 6: Encryption logs, as captured by Alien Labs.</p>

<p style="text-align:center"><img alt="REvil execution output" data-original="https://cdn-cybersecurity.att.com/blog-content/REvil_execution_output.jpg" /></p>

<p style="text-align:center">Figure 7: Execution output, as captured by Alien Labs.</p>

<h2>Conclusion</h2>

<p>The threat actors behind REvil RaaS have rapidly developed a Linux version to compete against the recently released Linux version of DarkSide. It is hard to determine whether these two RaaS operations are competing against each other or are collaborating team members, <a href="https://krebsonsecurity.com/2021/06/justice-dept-claws-back-2-3m-paid-by-colonial-pipeline-to-ransomware-gang/" target="_blank">as stated by other security researchers</a>. Nevertheless, both actors have been very active in the ransomware landscape during the last months, and these upgrades will keep them in the spotlight because of the broader range of systems they can now target.</p>

<h2>Appendix A. Detection Methods</h2>

<p>The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.</p>

<table style="border-collapse:collapse">
	<tbody>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:2px solid #959595; height:27px; width:623px">
			<p>YARA RULES</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:35px; width:623px">
			<pre>
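rule REvilLinux
{
    /*
     * Flags ELF files that contain at least three of the four plain-text
     * strings below. Three of them are the logging and error format strings
     * that correspond to the per-file log output and the ransom-note step
     * described in the article; the fourth is the bare token "esxcli".
     *
     * Tuning notes for defenders:
     *   - The strings are matched as plain ASCII, case-sensitive (YARA
     *     defaults), so a packed or string-obfuscated build would not match.
     *   - "esxcli" also appears in legitimate ESXi administration tooling and
     *     is weak evidence on its own; the "3 of them" threshold means at
     *     least two of the ransomware-specific messages must also be present.
     */
    meta:
        author = "AlienLabs"
        description = "REvil Linux"
        // SHA-256 of the reference sample, without surrounding whitespace so
        // that it can be compared exactly against the IOC table.
        sha256 = "ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4"

    strings:
        // Log line written when a file could not be encrypted.
        $log_not_encrypted = "File [%s] was NOT encrypted"
        // Name of the VMware ESXi command-line utility.
        $esxcli = "esxcli"
        // Log line written when the OS prevented access to a file.
        $log_os_protected = "[%s] is protected by os"
        // Error emitted when the ransom note could not be created in a folder.
        $log_note_error = "Error create note in dir %s"

    condition:
        // 0x464C457F is the ELF magic "\x7fELF" read as a little-endian
        // 32-bit value at offset 0, which limits the rule to ELF files.
        uint32(0) == 0x464C457F and 3 of them
}</pre>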
			</td>
		</tr>
	</tbody>
</table>

<h2>Appendix B. Associated Indicators (IOCs)</h2>

<p>The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the <a href="https://otx.alienvault.com/pulse/60da2c80aa5400db8f1561d5" target="_blank">OTX Pulse</a>. Please note that the pulse may include other related activity that is outside the scope of this report.</p>

<p>&nbsp;</p>

<table style="border-collapse:collapse">
	<tbody>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:2px solid #959595; height:27px; width:97px">
			<p>TYPE</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:2px solid #959595; height:27px; width:311px">
			<p>INDICATOR</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:2px solid #959595; height:27px; width:216px">
			<p>DESCRIPTION</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; width:311px">
			<p>ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; width:216px">
			<p>REvil Linux sample</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; width:311px">
			<p>d6762eff16452434ac1acc127f082906cc1ae5b0ff026d0d4fe725711db47763</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; width:216px">
			<p>REvil Linux sample</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; width:311px">
			<p>796800face046765bd79f267c56a6c93ee2800b76d7f38ad96e5acb92599fcd4</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; width:216px">
			<p>REvil Linux sample</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; width:311px">
			<p>3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; width:216px">
			<p>REvil Linux sample</p>
			</td>
		</tr>
	</tbody>
</table>

<div style="page-break-after: always"><span style="display: none;">&nbsp;</span></div>

<h2>Appendix C. Mapped to MITRE ATT&amp;CK</h2>

<p>The findings of this report are mapped to the following <a href="https://attack.mitre.org/" target="_blank">MITRE ATT&amp;CK Matrix</a> techniques:</p>

<ul>
	<li>TA0043: Reconnaissance
	<ul>
		<li>T1592: Gather Victim Host Information</li>
	</ul>
	</li>
	<li>TA0042: Resource Development
	<ul>
		<li>T1583: Acquire Infrastructure</li>
		<li>T1587: Develop Capabilities</li>
	</ul>
	</li>
	<li>TA0005: Defense Evasion
	<ul>
		<li>T1027: Obfuscated Files or Information</li>
	</ul>
	</li>
	<li>TA0007: Discovery
	<ul>
		<li>T1083: File and Directory Discovery</li>
	</ul>
	</li>
	<li>TA0009: Collection
	<ul>
		<li>T1005: Data from Local System</li>
	</ul>
	</li>
	<li>TA0040: Impact
	<ul>
		<li>T1486: Data Encrypted for Impact</li>
	</ul>
	</li>
</ul>
									</div>
								</div>
							
							
							
								<div class="blog-categories">
								<p style="margin-bottom: 0px;">Tags: <a href="/blogs/tag/malware" title="malware" rel="nofollow">malware</a>, <a href="/blogs/tag/alien+labs" title="alien labs" rel="nofollow">alien labs</a>, <a href="/blogs/tag/ransomware" title="ransomware" rel="nofollow">ransomware</a>, <a href="/blogs/tag/security" title="security" rel="nofollow">security</a>, <a href="/blogs/tag/otx+pulse" title="otx pulse" rel="nofollow">otx pulse</a>, <a href="/blogs/tag/labs" title="labs" rel="nofollow">labs</a>, <a href="/blogs/tag/linux" title="linux" rel="nofollow">linux</a>, <a href="/blogs/tag/raas" title="raas" rel="nofollow">raas</a>, <a href="/blogs/tag/revil" title="revil" rel="nofollow">revil</a></p>
								</div>

							</div>
							
						</div>
					</div>
				</section>


			</main>


			

			
		



<div id="valid_content"></div>

		

	<script type="text/javascript"  src="/2egU/Wdpn/GK/iIu0/Qw2w/Eab1DJkQ/UQF7/aUkrEWoA/QAUC"></script></body>
</html>
